New Microsoft Hotmail: E-Mail Security Reloaded

Microsoft gave eWEEK a deeper look at the security features it has planned for the upcoming version of Microsoft Hotmail. The security goodies are aimed not only at fighting spam, but also fighting phishing by improving authentication and account recovery features.

Microsoft is adding a number of security enhancements under the hood to help protect Hotmail users. The changes will be rolled out in the coming months as part of a major overhaul of Hotmail and will cross a number of areas, including general account security and password recovery. In a conversation with eWEEK, John Scarrow, general manager of safety services at Microsoft, detailed the newest features protecting Hotmail inboxes.

In the area of account security, Microsoft has added the ability for users to have a one-time password sent to their cell phone via SMS message if they need to recover their account. In addition, this one-time password can be used when signing on to public computers at Internet cafes, public libraries and the like, to avoid the possibility of their regular password being captured by keyloggers or other malware.
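The recovery flow described above, as an added example that is not Microsoft's or eWEEK's code: a small service that texts a random one-time code to the phone number on file and accepts it exactly once. The code itself is never stored, only an HMAC of it under a server-side key, and the code expires and is discarded after a fixed number of guesses. The policy values (6 digits, 10 minutes, 5 attempts), the `send_sms` callback and the sample account are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values (not from the article): a 6-digit code, valid for
# 10 minutes, with at most 5 guesses before it is thrown away.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 600
MAX_ATTEMPTS = 5


class RecoveryCodeService:
    """Issues and verifies single-use SMS recovery codes for an account.

    Only an HMAC tag of each code is kept, so a copy of the pending table is
    useless to anyone without the server-side key.
    """

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms              # callable(phone_number, text); assumed
        self._clock = clock                    # injectable for testing
        self._key = secrets.token_bytes(32)    # server-side HMAC key (constructed)
        self._pending = {}                     # account -> {"tag", "expires", "attempts"}

    def _tag(self, account, code):
        # Bind the tag to the account so a code issued for one account
        # cannot be replayed against another.
        msg = f"{account}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, account, phone_number):
        """Generate a fresh code, remember its tag, and text it to the phone on file."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[account] = {
            "tag": self._tag(account, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(phone_number, f"Hotmail recovery code: {code}")

    def verify(self, account, submitted):
        """Return True exactly once for the right code; expiry or too many guesses burns it."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[account]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[account]
            return False
        ok = hmac.compare_digest(entry["tag"], self._tag(account, submitted))
        if ok:
            del self._pending[account]   # single use: a captured code cannot be replayed
        return ok

    def pending(self, account):
        """True while an unexpired, unused code is outstanding for the account."""
        return account in self._pending


if __name__ == "__main__":
    outbox = []   # stands in for the SMS gateway
    svc = RecoveryCodeService(send_sms=lambda phone, text: outbox.append((phone, text)))
    svc.issue("alice@example.com", "+15550100")   # constructed sample account and number
    code = outbox[-1][1].split()[-1]
    print("first use:", svc.verify("alice@example.com", code))
    print("replay:", svc.verify("alice@example.com", code))
```

The single-use and attempt-limit rules are what make a short numeric code acceptable here: an attacker who intercepts the SMS after the owner has used it gets nothing, and one who does not have the phone gets at most five guesses against a million possibilities before the code is withdrawn.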

"If you give us your phone number instead of just an alternate e-mail account, we can send a message to your SMS, and it will come with a one-time code, and it will say in order to get your account back just type this one-time code in because we know that the spammer doesn't have that account," Scarrow said. "The spammer can't afford to have an SMS account for millions of accounts, even if he got in and put the phone number in on your behalf. ... It doesn't make sense for their business model," Scarrow said.

But perhaps the biggest changes are in the area of spam filtering. Microsoft has added a number of features designed to help users filter out junk mail and improve Hotmail's ability to distinguish junk mail from regular mail. By learning users' preferences from how they interact with their mail, Hotmail can better determine which mail is ham (the messages users want) and which is spam, Scarrow said.
To this end, the company will visually demarcate e-mails from specific senders that are recognized as legitimate (for example, with a padlock or shield icon). In addition, a sender can be safe-listed automatically based on how the account owner interacts with that sender, for example if the two regularly exchange e-mails. Likewise, mail from countries, senders or languages the user doesn't normally deal with can be marked as junk.

"We're not trying to learn all your behaviors and start saying, 'Oh, this guy doesn't like newsletters that have the word X, Y, Z in them, so this particular guy should never get that,'" he said. "If you try to get that smart, you end up typically not necessarily making users happy. But you can use that type of information to make sure you are reducing the mistakes that are made."

Users will also be able to "sweep" unwanted mail out of their inboxes and into their other folders to avoid clutter. Junk mail will be tagged so that when users find a message in their junk mail folder, they will know how it ended up there and can take action to keep it from happening to similar messages in the future.
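The two interaction-based rules above, automatic safe-listing of senders the owner regularly exchanges mail with and junking of mail in unfamiliar languages or from unfamiliar countries, together with the junk tag that explains the verdict, as an added example that is not Hotmail's actual filter. The thresholds (two messages in each direction to safelist, five kept messages before the "unfamiliar" rules engage), the per-mailbox profile and the sample addresses are assumptions; language and country are taken as already-detected attributes of each message.

```python
from collections import Counter
from dataclasses import dataclass, field

# Assumed tunables (not from the article).
SAFELIST_EXCHANGES = 2   # messages in each direction before a sender is trusted
MIN_HISTORY = 5          # kept inbound messages before "unfamiliar" rules apply


@dataclass
class Message:
    sender: str
    recipient: str
    language: str   # e.g. "en"; constructed, as if detected from the body
    country: str    # e.g. "US"; constructed, as if derived from the sending server


@dataclass
class MailboxProfile:
    """What one mailbox has learned from its owner's behaviour."""
    owner: str
    sent_to: Counter = field(default_factory=Counter)
    received_from: Counter = field(default_factory=Counter)
    languages: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)
    safelist: set = field(default_factory=set)

    def _maybe_safelist(self, address):
        # Reciprocity: both sides must have written several times. Inbound-only
        # volume never safelists, so a persistent spammer does not qualify.
        if (self.sent_to[address] >= SAFELIST_EXCHANGES
                and self.received_from[address] >= SAFELIST_EXCHANGES):
            self.safelist.add(address)

    def record_outbound(self, msg):
        """Owner sent mail; count it toward the recipient's reciprocity score."""
        self.sent_to[msg.recipient] += 1
        self._maybe_safelist(msg.recipient)

    def record_inbound(self, msg):
        """Owner received and kept mail; learn sender, language and country."""
        self.received_from[msg.sender] += 1
        self.languages[msg.language] += 1
        self.countries[msg.country] += 1
        self._maybe_safelist(msg.sender)

    def classify(self, msg):
        """Return (folder, reason); the reason is the tag shown in the junk folder."""
        if msg.sender in self.safelist:
            return "inbox", "sender safelisted: you regularly exchange mail"
        history = sum(self.received_from.values())
        if history >= MIN_HISTORY:   # do not judge "unfamiliar" on an empty profile
            if self.languages[msg.language] == 0:
                return "junk", f"language {msg.language!r} not seen in your mail before"
            if self.countries[msg.country] == 0:
                return "junk", f"country {msg.country!r} not seen in your mail before"
        return "inbox", "no rule matched"


if __name__ == "__main__":
    # Constructed history: Alice and Bob trade mail in English from the US.
    alice = MailboxProfile("alice@example.com")
    bob = "bob@example.com"
    for _ in range(3):
        alice.record_inbound(Message(bob, alice.owner, "en", "US"))
        alice.record_outbound(Message(alice.owner, bob, "en", "US"))
    for m in (Message(bob, alice.owner, "zz", "XX"),
              Message("stranger@example.net", alice.owner, "zz", "US"),
              Message("stranger@example.net", alice.owner, "en", "US")):
        print(m.sender, "->", alice.classify(m))
```

The safelist check comes first so that a trusted correspondent writing from a new country or in a new language is never junked, and the "unfamiliar" rules stay off until the profile has seen enough mail to know what familiar looks like; both choices are there to keep the filter from making the mistakes the article warns about.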

The company is also adding support for DomainKeys Identified Mail (DKIM), and is following in Google's footsteps with plans for always-on HTTPS.

"A lot of people felt like Microsoft was biased, only doing SenderID because that's the one we had pushed early on. ... We think it's the right thing to do for the industry. We think it will encourage more people to sign their mail with DKIM," he said.